Will Advanced Threat Analytics help me with all operating systems?

A frequent question I get from customers is, will Microsoft’s Advanced Threat Analytics (ATA) help me detect suspicious activity on my network, regardless of the operating systems in my environment? “YES!” is the short answer. Any user or entity that connects to the network via Active Directory (AD), queries the DNS servers, or authenticates with AD is inspected for anomalous activities, regardless of the operating system. And the approach is agentless.

Linux, or for that matter any *nix operating system, can use Active Directory credentials to run line of business (LOB) applications. Individuals and entities use their endpoint to authenticate to resources they need on the servers, through NTLM or Kerberos authentication protocols whether it’s Windows or Linux or another *nix operating system. Identity, therefore, is fundamental to all environments, and ATA takes advantage of this fundamental need for an identity solution to help you detect anomalous activities regardless of the operating system upon which your network runs. It can transcend the respective operating systems in that environment (including domain joined routers and switches). Windows and *nix machines are simply endpoints.

The screenshot below shows an attack. Attackers compromise a user’s credentials, whether from a Mac or Windows endpoint, and move laterally, hunting for elevated privileges or users with privileged credentials (e.g., administrators). The tool being used for this malicious activity is PSEXEC. PSEXEC was originally designed for systems administrators: it is a command line remote administration tool that lets admins execute processes on remote machines. As is the case with a lot of tools, it can also be used for malicious activity by adversaries.

The adversary set up a PSEXEC session through SMB (a protocol frequently used for authentication to file shares), using the user’s legitimate credentials. They established the SMB authentication and then stole the hash. The NTLM hash was then injected into a PSEXEC session over SMB in place of a password.

This is a typical attacker scenario: they harvest a set of credentials (on a system) and use it to move laterally. The attacker’s command-and-control (C2) can give them legitimate access across operating systems through this identity layer. With ATA’s machine learning user/entity behavioral analytics, as well as detections such as the PSEXEC activity against a Domain Controller described above, network defenders can be alerted to this suspicious activity and act quickly and decisively.
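As an added illustration of the PSEXEC-against-a-Domain-Controller scenario above (example code written for this page, not ATA’s own detection logic, which works from network traffic rather than host logs), the following Python correlates a PsExec service install (Windows System event 7045, service name `PSEXESVC`) with the network logon (Security event 4624, logon type 3) that preceded it on the same host. The event records are constructed samples; the field names follow the Windows event schema, but the 60-second window and the `SAMPLE_EVENTS` list are assumptions for the example.

```python
"""Correlate network logons with PsExec service installs on a domain controller.

Host-log variant of the "PSEXEC against a DC" detection described in the post.
All events below are constructed samples, not real logs.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)        # logon must precede the install by <= 60 s (assumed)
PSEXEC_SERVICE_NAMES = {"PSEXESVC"}   # default service name PsExec installs on the target

# Constructed events: (timestamp, host, event_id, fields).
# 4624 = successful logon (LogonType 3 = network), 7045 = new service installed.
SAMPLE_EVENTS = [
    ("2018-05-01T10:00:01", "DC01", 4624, {"TargetUserName": "alice", "LogonType": "3",
                                          "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.7"}),
    ("2018-05-01T10:00:03", "DC01", 7045, {"ServiceName": "PSEXESVC",
                                          "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    ("2018-05-01T10:05:00", "DC01", 4624, {"TargetUserName": "svc-backup", "LogonType": "3",
                                          "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.9"}),
    ("2018-05-01T10:05:02", "DC01", 7045, {"ServiceName": "BackupAgent",
                                          "ImagePath": r"C:\Program Files\Backup\agent.exe"}),
    ("2018-05-01T11:00:00", "FS01", 7045, {"ServiceName": "PSEXESVC",
                                          "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_psexec_lateral_movement(events, window=WINDOW):
    """Return one alert per PsExec service install, attributed to the most recent
    network logon on the same host inside `window`; user/source are None if no
    logon qualifies (still worth an alert: the service appeared without context)."""
    alerts = []
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))
    for ts, host, eid, f in ordered:
        if eid != 7045 or f.get("ServiceName") not in PSEXEC_SERVICE_NAMES:
            continue
        t_install = parse_ts(ts)
        logon = None
        for lts, lhost, leid, lf in ordered:
            if (leid == 4624 and lhost == host and lf.get("LogonType") == "3"
                    and t_install - window <= parse_ts(lts) <= t_install):
                logon = lf                      # later matches overwrite earlier ones
        alerts.append({"host": host, "time": ts,
                       "user": logon["TargetUserName"] if logon else None,
                       "source_ip": logon["IpAddress"] if logon else None,
                       "auth": logon["AuthenticationPackageName"] if logon else None})
    return alerts


if __name__ == "__main__":
    for alert in find_psexec_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```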

ATA is a User-Entity-Behavioral Analytics (UEBA) detection product that identifies Advanced Persistent Threats (APTs) on your network. It issues alerts when it sees suspicious activities, including reconnaissance, lateral movement, re-use of compromised credentials, privilege escalation and domain dominance. It is one of the only tools that concentrates on detecting the adversary in the post-exploit phase, that is, after they have already established a foothold. Having this level of visibility into the suspicious activity of your users, entities, and machines is critical for any enterprise.
